2018-12-06 03:21 AM
How do I build a parser with the RSA NetWitness Log Parser Tool?
I do not know how to do it.
I tried, but it did not work properly.
Can you provide some guidance?
I am parsing Windows logs.
I think it is one of RSA's supported event sources.
Can you provide the parser file?
Thanks.
2018-12-06 03:27 AM
What exactly are you trying to do?
Have you seen this video? RSA ESI Beta 3 - YouTube
ESI was the tool's name before LPT.
2018-12-06 08:38 AM
There is a free 30 minute eLearning video available here:
https://community.rsa.com/docs/DOC-85205
It has a great demo by Dave Glover.
Hope this helps.
Bob
2018-12-09 08:57 PM
Hi, RSA support team.
I tried to extract data on the "meta data" tab (I'm not sure of the exact tab name) with process_id, event.cat.name, process, event_time, h_code, account_id, hostname, event_description and so on.
But on the "meta data" tab, only part of what I had extracted was shown.
Could you please explain how to make it show on the meta data tab?
PS. If Windows Snare logs are provided by RSA as a supported source, could you provide the XML file?
Thanks in advance.
Best regards.
Seungho Lee
Sopra Steria
3 Fusionopolis Way, Symbiosis #12-27
138633 Singapore - Singapore
Phone: +65 7571 5999 - Mobile: +65 8287 7662
seungho.lee@soprasteria.com - www.soprasteria.sg
2018-12-24 02:46 PM
Make sure you have deployed the most current parser for your event source (what is the source system that you are attempting to log?).
https://community.rsa.com/community/products/netwitness/parser-network/event-sources
Event sources are listed here. If it's Windows, how are you collecting (Snare agent, WMI, NXLog ...)?
Make sure the parser is subscribed and deployed to your log decoders.
What is the outcome of the log parsing?
Provide screenshots of where you think the error is as well as what you expect the outcome should be.
Not enough information was shared in the post to get any sense of what could be the issue.
Please review the details and provide the information to enable us to assist you as best we can.
2018-12-25 10:37 PM
Hi,
We are collecting Windows logs via the Snare agent.
Could you please provide the XML file for this?
I have to extract (for display in the "View Meta" tab of RSA SIEM) all parts of the Windows logs, as the customer requested.
So I tried to extract process_id, event.cat.name, process, event_time, h_code, account_id, hostname, event_description and so on, as provided by RSA.
But on the "View Meta" tab, only some of the things I extracted are shown.
How do I make all of them show on the "View Meta" tab?
Thanks.
Best regards.
Seungho Lee
2018-12-25 10:40 PM
It sounds like you have enabled the winevent_snare parser.
Many of the meta you describe are disabled in the table-map.xml file.
Have you tried enabling them to see the result?
2018-12-25 10:53 PM
Hi,
No, I didn't enable the winevent_snare parser.
I just created a new one for the winevent_snare parser.
Could you please provide the XML file for this?
Can I enable all of the meta in the table-map.xml file?
Could it impact the performance of RSA?
Could you teach me how to enable them simply?
Many thanks.
Best regards.
Seungho Lee
2018-12-25 10:58 PM
You need to download the winevent_snare parser from Live.
You can copy everything from the table-map.xml file and paste it into the table-map-custom.xml, and then change all the flags=Transient to flags=None.
Once you do that, reload the parsers and you will see a ton of new meta keys when you view the meta in the events tab. From there you can pick and choose what you would like to index.
The impact to the system will be about a 15-20% higher consumption of storage on the concentrator.
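One way to script the table-map step described above, as an added example that is not part of this thread or of RSA's own tooling. It assumes table-map.xml is a `<mappings>` document whose `<mapping>` elements carry `envisionName`, `nwName` and `flags` attributes; the sample entries are constructed, and the optional `wanted` filter lets you promote only the keys the customer actually needs instead of paying the storage cost for all of them.

```python
import xml.etree.ElementTree as ET

# Constructed fragment in the assumed shape of a NetWitness table-map.xml.
# Names come from the thread; the file shipped with the parser is much larger.
SAMPLE_TABLE_MAP = """<?xml version="1.0" encoding="utf-8"?>
<mappings>
  <mapping envisionName="event_description" nwName="event.desc" flags="None" format="Text"/>
  <mapping envisionName="process_id" nwName="process.id" flags="Transient" format="Text"/>
  <mapping envisionName="hostname" nwName="alias.host" flags="Transient" format="Text"/>
  <mapping envisionName="account_id" nwName="user.id" flags="Transient" format="Text"/>
  <mapping envisionName="h_code" nwName="h.code" flags="Transient" format="Text"/>
</mappings>
"""


def transient_names(table_map_xml):
    """List the envisionName of every mapping currently flagged Transient."""
    root = ET.fromstring(table_map_xml)
    return [m.get("envisionName") for m in root.iter("mapping")
            if m.get("flags") == "Transient"]


def promote_transient(table_map_xml, wanted=None):
    """Return (custom_xml_text, promoted_names).

    Each <mapping> with flags="Transient" is rewritten to flags="None" so the
    decoder keeps that meta instead of discarding it after parsing. If `wanted`
    (a set of envisionName values) is given, only those mappings are promoted;
    passing None promotes everything, which is what the thread describes.
    """
    root = ET.fromstring(table_map_xml)
    promoted = []
    for mapping in root.iter("mapping"):
        name = mapping.get("envisionName")
        if mapping.get("flags") != "Transient":
            continue
        if wanted is not None and name not in wanted:
            continue
        mapping.set("flags", "None")
        promoted.append(name)
    # The result is what you would save as table-map-custom.xml.
    return ET.tostring(root, encoding="unicode"), promoted


if __name__ == "__main__":
    print("Transient before:", transient_names(SAMPLE_TABLE_MAP))
    custom, names = promote_transient(SAMPLE_TABLE_MAP, wanted={"process_id", "hostname"})
    print("Promoted:", names)
    print(custom)
```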
2019-02-19 06:16 AM
Hi Dave.
Thanks for the reply.
I want to know 2 more things.
1. Can you tell me how to download the winevent_snare parser from Live?
2. I want the parser to do something like the example below:
log -> a b c d e f g
message id (msg.id) -> b_d_e
Could you please teach me how to do this kind of combination in the message id?